Combating the Rise of the K-12 Cyberattack

Type: Article
Topics: School Administrator Magazine, School Safety & Cybersecurity

February 01, 2024

Superintendents draw on their districts’ recent victimization to encourage expediency and strategic planning
Scott Elder, superintendent in Albuquerque, created a chief security officer position after hackers breached the school district’s student information system. PHOTO COURTESY OF ALBUQUERQUE, N.M., PUBLIC SCHOOLS

On a Wednesday in January 2022, Albuquerque Public Schools’ technology team detected something fishy in the student information system. Hackers had breached the district’s Synergy Student Information System with a ransomware attack.

“We shut everything down immediately,” says Scott Elder, superintendent of the 70,000-student district. “We were forced to close Thursday and Friday” before reopening after Martin Luther King Jr. Day.

The attack was part of an intensifying trend of cyberattacks on K-12 districts, as criminals often perceive schools to be easy prey. Cyberthieves presume schools maintain low defenses compared with large corporations or federal government agencies. Hackers also recognize that public schools benefit from consistent, stable funding pipelines compared with many private companies.

Ransomware attacks last year impacted 1,981 schools across the U.S., almost double the 1,043 schools affected in 2021, according to a report by anti-malware company Emsisoft. Albuquerque was one of 45 U.S. school districts hit by ransomware attacks in 2022, the report said.

The uptick has challenged superintendents nationwide to respond more quickly and effectively to cyberattacks, to step out of their familiar comfort zone as educators and to prioritize tech defense at a higher level.

In Albuquerque, Elder says the cybersecurity contingency plan triggered the school shutdown as well as a process to review movement of students’ data. But because the district had no vendor contracts specifically for cyberattack response, the district made an emergency school board request for more than $250,000, to be paid to the cyber forensics company conducting the audit, the superintendent says.

The contract yielded immediate results, as auditors determined that hackers had encrypted students’ personally identifiable information without moving the data anywhere.

From the experience, the district learned future cybersecurity contracts should be executed before an intrusion occurs.

Assessing Vendors

Hackers often target school districts through their business vendors — such as Synergy SIS — as education companies store large tranches of teachers’ and students’ personal information, regarded as currency for cyberthieves seeking to profit from data theft. K-12 cyberattacks are so common the Consortium for School Networking released a tool for districts to assess the strength of vendors’ information, data and cybersecurity policies before agreeing to a service contract.

The FBI and local police department advised the Albuquerque district to generalize descriptions of the cyberattack and to judiciously omit in public communications the more granular details of the law enforcement investigation, Elder says.

“You don’t know what the bad actors are listening to,” he says. “You want to make sure you just give them enough information to say, ‘The data breaches occurred. At this time, it doesn’t appear that anything’s been compromised. We’re moving forward [with] mitigation, and as soon as we can open [schools], we’ll let you know.’”

Because no data had been compromised, the attack did not force district officials to consider paying ransom.

In the aftermath of the incident, the district created a new position for a chief security officer to specifically focus on cybersecurity, a change from the district’s former treatment of cybersecurity as one among several information technology priorities.

Cyber-Protection Emphasis

For many superintendents, cybersecurity is a secondary consideration in a world of competing financial, academic and social priorities. Often, school districts don’t think to prioritize cybersecurity with any specific financial or strategic direction until an intrusion occurs.

Shannon Goodsell, superintendent of the 2,000-student Window Rock Unified School District, located in Navajo territory in Arizona, called the recent surge in K-12 cyberattacks “uncharted waters,” adding that it’s testing school leaders in new ways.

Steve Langford (right), chief information officer in Oregon’s Beaverton Public Schools, said his district was able to prevent cyber-criminals from making bank wire transfers after stealing an employee’s login credentials. PHOTO COURTESY OF BEAVERTON, ORE., PUBLIC SCHOOLS

“I’m an educator,” Goodsell says. “I teach kids. I don’t do cybersecurity. We hire people to do that, and I think that you’ll find that with 95 percent of all the superintendents that you talk to.”

But when Ivory Coast-based hackers launched a Trojan Horse attack on Window Rock’s financial data in August 2022, Goodsell entered the fray. The thieves put up a firewall around the data and held it for $1 million ransom.

“We told them no, and we kind of stalled,” he says. “We had our insurance company techies battle the internet pirate techies in what I call the ‘Great Techie War’ of us trying to hack their firewall.”

Window Rock’s cyber insurance company for two weeks couldn’t hack the thieves’ firewall. But then Goodsell devised a solution: a double firewall. “What I ordered then is [to] put up an encrypted firewall around their firewall, [which] sealed all of that financial data for forever,” he says.

Neither Window Rock nor the hackers could access the data at that point, reflecting a kind of stalemate between the two sides. Window Rock worked with the FBI, CIA and Department of Homeland Security to ensure students’ and teachers’ data remained safe after the breach.

Though employee payroll and vendor payments were two weeks late because of the breach, no students’ or teachers’ personal data were compromised, according to Sheldon Yazzie, director of technology for Window Rock schools. Staff were reassured they would get repaid for any overdraft fees through the district’s insurance carrier.

Fortunately and proactively, the district had purchased cyber insurance the third week of July 2022, about two weeks before the attack, according to a CoSN blog post by Goodsell. Though the insurance was in place, the superintendent said he would give his district a cybersecurity rating of 4 out of 10 at the time of the breach.

Window Rock USD had reached out to all K-12 districts in Navajo and Apache counties to get advice on responding to the breach, yet 90 percent of those districts didn’t have a cybersecurity response plan in place, Yazzie says. Neither did Window Rock.

But even as districts look to nestle cybersecurity into their ever-evolving priority lists, Yazzie recommends that districts take several baby steps to shore up their IT networks.

These baby steps include some form of domain name system, or DNS, protection, which filters unwanted traffic and puts suspicious URLs on a blacklist. Yazzie also suggests the use of a local administrator password solution, which gives each server its own randomized local administrator password, minimizing the ability of cybercriminals to reach the entire network if they somehow obtain one of these passwords.

Further, districts can fortify their cybersecurity through routine use of multifactor authentication and through strengthened endpoint detection and response services, which are installed on users’ devices and essentially merge antivirus and malware detection functions.

Spear-Phishing Detection

The 39,000-student Beaverton Public Schools, located in a suburb of Portland, Ore., was alerted to a spear-phishing attack about seven years ago after the manager for a high school construction project noticed none of the applications on her district-issued laptop were working correctly.

The hackers crafted a fake e-mail posing as one of the companies she did business with, according to Beaverton’s chief information officer, Steven Langford. The e-mail requested the manager approve some adjustments for the $180 million project and took her to Adobe’s sign-in page. Her login failed, but cybercriminals now had her credentials.

The Nigeria-based hackers hoped that obtaining the credentials would set the stage to wire-transfer some project funds into their account.

But Beaverton benefited from sound accounting practices that prevented wire transfers at the time, Langford says. The district policy requires that bank information is never provided over the phone, even if a caller identifies him or herself as an employee of a district vendor.

With the stolen credentials, the hackers’ “quick score” would have been the finance account numbers, Langford says, and the FBI had informed the district that the hackers hunted hundreds of victims this way. “They were monitoring, waiting for the [money] to come in, so they could make the transfer, make the switch, pull the money and go,” he says.

The school district already was using role-based security at the time, but since then has implemented virtual private network access for critical applications, intrusion-detection applications to monitor anomalous traffic and multifactor authentication, among other measures.

Cloud Data Transfers

Though it’s never good when a cyberattack hits a school district, the summer 2019 timing of cyberterrorists’ intrusion into the financial system of Coventry Public Schools, located southwest of Providence, R.I., blunted the potential educational impact on the district’s 5,000 students.

The district’s insurance company paid about $300,000 in ransom to Eastern Europe-based cyber thieves after the hackers encrypted the district’s financial system in July 2019, according to Craig Levis, who was Coventry’s superintendent at the time. As soon as he became aware the attack was ransomware-based, he gave the cyber insurance company broad control over the technical and tactical aspects of the response.

The ransom payment and negotiation yielded a digital key that allowed the district to regain access to its financial system. To independently troubleshoot the problem without paying ransom would have taken months, Levis says.

“The state police [told] us not to pay their ransom for attack,” he says. “But we needed our financial data back.”

Despite the criminals’ loathsome activities, the hackers had an “honor amongst thieves” reputation, wherein their victims regularly reported they received their data back following the ransom payment, Levis says.

The timing of the mid-summer attack allowed the district to fully rectify the data issue before students returned to school in the fall. But unanticipated issues arose in the days after the breach. Coventry’s servers went down for five days, catalyzing a shutdown of the digitally controlled HVAC system in the district’s middle schools. Black mold spread throughout the facilities, Levis says.

Insurance covered $500,000 in mold remediation during the following three weeks.

Summer break gave the district ample time to wipe clean all of its Chromebooks and desktops of “any information or any software” after the intrusion, Levis says. Those devices were reloaded with proper software before the start of school.

Coventry transferred all financial data from physical servers to the secure cloud because bad actors had poked around those physical servers for several months, Levis says. It’s quite easy for hackers to gain access to targets’ personal data residing in physical servers that have already been breached.

“All it takes is somebody opening up an attachment,” Levis says. “That bad actor has access to everything.”

Brian Bradley is a freelance education writer in Bunker Hill, W.Va.

Common Types of K-12 Cyberattacks

While cyberattacks span a wide spectrum of breaches, there are a few types that K-12 administrators should look out for. This list is not exhaustive but should provide some tips on how to identify certain attacks.

Ransomware.

This form of attack locks one or more information technology systems until schools pay the attacker. Albuquerque Public Schools in New Mexico and Coventry Public Schools in Rhode Island both encountered this type of attack, with hackers encrypting the former’s student information system and the latter’s financial system.

As soon as hackers breached Coventry, district employees’ financial system login info wasn’t working. The e-mail service shut down as well. In Albuquerque’s attack, the district’s technology security team examined the network and detected that potentially someone other than faculty and students had intruded into the SIS.

In both cases, the districts sent out notifications immediately. Albuquerque immediately closed school for two days. Coventry didn’t have that need because its attack happened in July. However, the district instructed staff not to use their work e-mail until the investigation had concluded.

Trojan Horse.

A Trojan Horse attack involves hiding a malicious program inside an apparently legitimate one. When the ostensibly harmless program is used, hidden malware can open a backdoor through which hackers can penetrate the K-12 network.

Window Rock Unified School District in Arizona encountered this type of attack. “The first thing that [the attack] tried to do is to take the [financial] account codes and then take the money and then wire-transfer it out to banks,” Shannon Goodsell, the district superintendent, says. Window Rock’s check-and-balance system prevented any money from getting wired, as new wire-transfer requests must go through county financial processes, and even Goodsell doesn’t have the authority to randomly send funds.

To prevent Trojan Horse attacks, cybersecurity company Fortinet recommends users not download or install any programs until or unless the source can be verified.

Phishing.

Steve Langford, chief information officer in Oregon’s Beaverton Public Schools, describes the classic phishing attack as a “spray and pray” ordeal. Hackers send a spurious e-mail to a wide range of recipients in a network, hoping one person will click a link that will siphon their personal credentials. Bad actors phished Beaverton this past Sept. 1, with customized e-mails sent to every school in the district appearing to be from each school’s principal.

Cybercrime outfits research the writing of organizational leaders, such as building principals, Langford says. “They follow on Facebook. They get access to everything published on the web. They get the CEO’s voice,” he says.

Fortinet advises users to think carefully about the types of e-mails they open, to pay close attention to e-mail headers and not click on anything that looks suspicious.
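As an added illustration of the header checks described above (example code, not from the article or any district), the function below flags a message whose display name matches a known principal but whose address is not that principal's, and a Reply-To that differs from the sender; the district domain, principal roster and sample message are all constructed.

```python
"""Display-name phishing triage (added example, not the article's code).
Flags the two header patterns the Phishing section describes: a message whose
display name matches a school principal but whose address is not the
principal's, and a Reply-To that points somewhere other than the sender.
Domain, roster and sample message below are constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr

# Constructed roster: trusted display names and the only address each may use.
PRINCIPALS = {"Jane Doe": "jdoe@example-district.org"}


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the reasons a message looks like display-name phishing (empty if none)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []
    # Display name borrowed from the roster but sent from a different mailbox.
    expected = PRINCIPALS.get(from_name.strip())
    if expected and from_addr.lower() != expected.lower():
        reasons.append(f"display name '{from_name}' used by non-roster address {from_addr}")
    # Replies silently redirected away from the apparent sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        reasons.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    return reasons


# Constructed sample: impersonates the principal from a free-mail account and
# redirects replies to a second mailbox.
SAMPLE = """From: Jane Doe <jane.doe.principal@freemail.example>
Reply-To: <replies@freemail.example>
To: staff@example-district.org
Subject: Quick favor

Are you at your desk? I need you to handle something for me.
"""

if __name__ == "__main__":
    for reason in phishing_indicators(SAMPLE):
        print("FLAG:", reason)
```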

Spear-Phishing.

This is more sophisticated than basic phishing but follows the same general format of bad actors relying on a target to provide their credentials through clicking a spurious link. Unlike phishing, spear-phishing identifies a specific, high-value target ahead of time, where cybercriminals tailor an e-mail in hopes of gaining access to that target’s data.

Criminals sought a $50,000 to $100,000 wire transfer following a spear-phish of Beaverton’s network in 2015, Langford says. Much like cyberthieves’ attempt to extort Window Rock via wire transfer, Beaverton’s policies and processes weren’t even set up to enable such a wire transfer eight years ago, Langford says. “We had additional protocols in place, so that we could mitigate the risks.”

— Brian Bradley
